The parameter groupName cannot be used with the parameter subnet - amazon-web-services

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  MyKeyName:
    Description: Select the key name from the list
    Type: AWS::EC2::KeyPair::KeyName
  Instancetypes:
    Type: String
    AllowedValues:
      - t2.micro
      - t2.nano
Resources:
  myEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      KeyName: !Ref MyKeyName
      ImageId: ami-0323c3dd2da7fb37d
      InstanceType: !Ref Instancetypes
      SecurityGroupIds:
        - default
        - !Ref SSHSecurityGroup
      SubnetId: !Ref subnet1
      Tags:
        - Key: Name
          Value: EC2
  SSHSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: my new SSH security group
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
      VpcId: !Ref LocalVPC
  LocalVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
  subnet1:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1a
      VpcId: !Ref LocalVPC
      CidrBlock: 10.0.1.0/24
  subnet2:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1b
      VpcId: !Ref LocalVPC
      CidrBlock: 10.0.2.0/24
  subnet3:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1c
      VpcId: !Ref LocalVPC
      CidrBlock: 10.0.3.0/24
  routeTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId:
        Ref: LocalVPC
  routeName:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref routeTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref igwName
  routeTableAssocName:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref subnet1
      RouteTableId: !Ref routeTable
  igwName:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: keyname
          Value: valuea
  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref LocalVPC
      InternetGatewayId: !Ref igwName

SecurityGroupIds takes a Group ID, rather than a Group Name:
SecurityGroupIds:
  - !GetAtt SSHSecurityGroup.GroupId
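The answer's point can be checked mechanically before a stack update is attempted. The script below is an added example, not code from the question, the answer or AWS: it walks a CloudFormation template held as a Python dict (the JSON form of the YAML above, with intrinsics spelled out as `{"Ref": ...}` / `{"Fn::GetAtt": ...}`), flags `SecurityGroupIds` entries that are group names rather than IDs or intrinsic references, and, because the same template opens TCP/22 to the world, also reports world-reachable SSH rules. The `QUESTION_TEMPLATE` dict is a hand-constructed excerpt of the question's template.

```python
"""Lint an EC2 instance's security-group references in a CloudFormation template.

Added example for this answer; not code from the question, the answer or AWS.
The template is a Python dict in JSON form, so no YAML parser is needed;
!Ref X appears as {"Ref": "X"} and !GetAtt A.B as {"Fn::GetAtt": ["A", "B"]}.
"""


def is_intrinsic(value):
    """True for {"Ref": ...} or any single-key {"Fn::...": ...} mapping."""
    if not (isinstance(value, dict) and len(value) == 1):
        return False
    key = next(iter(value))
    return key == "Ref" or key.startswith("Fn::")


def check_security_group_refs(template):
    """Report SecurityGroupIds entries that are group names rather than IDs.

    Inside a VPC (SubnetId or NetworkInterfaces present) EC2 resolves
    SecurityGroupIds by ID only. A bare string that is not "sg-..." (the
    literal "default" in the question) is a group name and produces the
    "groupName cannot be used with subnet" error. !Ref / !GetAtt ...GroupId on
    a VPC security group resolves to the ID, so intrinsic entries pass.
    """
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        in_vpc = "SubnetId" in props or "NetworkInterfaces" in props
        for entry in props.get("SecurityGroupIds", []):
            if is_intrinsic(entry):
                continue
            if not (isinstance(entry, str) and entry.startswith("sg-")):
                findings.append(
                    f"{name}: SecurityGroupIds entry {entry!r} is a group name; "
                    "use the group ID or !GetAtt <SecurityGroup>.GroupId")
        if in_vpc and props.get("SecurityGroups"):
            findings.append(
                f"{name}: SecurityGroups (names) cannot be combined with "
                "SubnetId; use SecurityGroupIds")
    return findings


def check_world_reachable_ssh(template):
    """Report security groups that allow TCP/22 from 0.0.0.0/0 or ::/0."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            src = rule.get("CidrIp") or rule.get("CidrIpv6")
            if src not in ("0.0.0.0/0", "::/0"):
                continue
            # IpProtocol -1 with no ports means every port, so it covers 22 too.
            low = int(rule.get("FromPort", 0))
            high = int(rule.get("ToPort", 65535))
            if rule.get("IpProtocol") in ("tcp", "-1") and low <= 22 <= high:
                findings.append(f"{name}: SSH open to {src}")
    return findings


# Constructed excerpt of the question's template in JSON form (not the full
# template): the instance lists the group name "default" next to a !Ref.
QUESTION_TEMPLATE = {
    "Resources": {
        "myEC2Instance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "SecurityGroupIds": ["default", {"Ref": "SSHSecurityGroup"}],
                "SubnetId": {"Ref": "subnet1"},
            },
        },
        "SSHSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "my new SSH security group",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22",
                     "CidrIp": "0.0.0.0/0"}
                ],
                "VpcId": {"Ref": "LocalVPC"},
            },
        },
    }
}

if __name__ == "__main__":
    for line in (check_security_group_refs(QUESTION_TEMPLATE)
                 + check_world_reachable_ssh(QUESTION_TEMPLATE)):
        print(line)
```

Run against the excerpt it reports the `'default'` entry and the `0.0.0.0/0` SSH rule. If the default group really is wanted, pass its ID (`sg-...`) through a parameter of type `AWS::EC2::SecurityGroup::Id` rather than its name; and restrict port 22 to a bastion or administrative CIDR rather than the whole internet.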

Related

Setting up Redash Instance in private subnet. EC2 status check failed

Issue Summary
I would like to set up a Redash instance in a private subnet, but it didn't work well. The instance status check is "1/2 failed".
The question is whether there is some necessary setting in addition to the settings introduced on the website (https://redash.io/help/open-source/setup).
For your information, if I place the Redash instance in the public subnet, it works well.
Technical details:
AMI: ami-060741a96307668be
EC2 size: t2.small
the private subnet has a NAT Gateway
The CloudFormation template is below. (I removed the parameters because they were kind of secret information. The parameters are correct because I checked them with the public subnet. So please check the other part. Thank you.)
AWSTemplateFormatVersion: '2010-09-09'
Description: This template is used for creating redash analysis foundation
Resources:
####################################################################################################
#### NetWork Setting
####################################################################################################
RedashInstancePrivateSubnetA:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: ap-northeast-1a
CidrBlock: !Ref PrivateSubnetACidrBlock
VpcId: !Ref VpcId
PrivateSubnetARoute:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref PrivateSubnetRouteTable
SubnetId: !Ref RedashInstancePrivateSubnetA
PrivateSubnetRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VpcId
NATGatewayForPrivateSubnetA:
Type: AWS::EC2::NatGateway
Properties:
AllocationId: !GetAtt NATGatewayAEIP.AllocationId
SubnetId: !Ref RedashALBPublicSubnetA
NATGatewayAEIP:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
PrivateARoute:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref PrivateSubnetRouteTable
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId: !Ref NATGatewayForPrivateSubnetA
RedashALBPublicSubnetA:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: ap-northeast-1a
CidrBlock: !Ref PublicSubnetACidrBlock
VpcId: !Ref VpcId
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VpcId
PublicRoute:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Sub ${InternetGatewayId}
PublicSubnetARoute:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref PublicRouteTable
SubnetId: !Ref RedashALBPublicSubnetA
####################################################################################################
#### Re:dash EC2 Instance
####################################################################################################
RedashInstance:
Type: AWS::EC2::Instance
Properties:
LaunchTemplate:
LaunchTemplateId: !Ref RedashInstanceLaunchTemplate
Version: !GetAtt RedashInstanceLaunchTemplate.LatestVersionNumber
SubnetId: !Ref RedashInstancePrivateSubnetA
RedashInstanceLaunchTemplate:
Type: AWS::EC2::LaunchTemplate
Properties:
LaunchTemplateName: redash-isntance-lt
LaunchTemplateData:
SecurityGroupIds:
- !Ref RedashInstanceSecurityGroup
ImageId: ami-060741a96307668be
InstanceType: t2.small
RedashInstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: This Security Group is used for Re:dash Instance
GroupName: redash-instance-sg
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
SourceSecurityGroupId: !Ref RedashALBSecurityGroup
VpcId: !Ref VpcId
Following marcin's comment, I tried the template below, but it did not work well; the EC2 status check shows '1/2 failed'.
AWSTemplateFormatVersion: '2010-09-09'
Description: This template is used for creating redash analysis foundation
Resources:
####################################################################################################
#### NetWork Setting
####################################################################################################
RedashInstancePrivateSubnetA:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: ap-northeast-1a
CidrBlock: 172.18.0.0/24
VpcId: <VPCID>
Tags:
- Key: Name
Value: Private
PrivateSubnetARoute:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref PrivateSubnetRouteTable
SubnetId: !Ref RedashInstancePrivateSubnetA
PrivateSubnetRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: <VPCID>
NATGatewayForPrivateSubnetA:
Type: AWS::EC2::NatGateway
Properties:
AllocationId: !GetAtt NATGatewayAEIP.AllocationId
SubnetId: !Ref RedashALBPublicSubnetA
NATGatewayAEIP:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
PrivateARoute:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref PrivateSubnetRouteTable
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId: !Ref NATGatewayForPrivateSubnetA
RedashALBPublicSubnetA:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: ap-northeast-1a
CidrBlock: 172.18.2.0/24
VpcId: <VPCID>
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: Public
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: <VPCID>
PublicRoute:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: <INTERNETGATEWAYID>
PublicSubnetARoute:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref PublicRouteTable
SubnetId: !Ref RedashALBPublicSubnetA
####################################################################################################
#### Re:dash EC2 Instance
####################################################################################################
RedashInstance:
Type: AWS::EC2::Instance
Properties:
LaunchTemplate:
LaunchTemplateId: !Ref RedashInstanceLaunchTemplate
Version: !GetAtt RedashInstanceLaunchTemplate.LatestVersionNumber
SubnetId: !Ref RedashInstancePrivateSubnetA
RedashInstanceLaunchTemplate:
Type: AWS::EC2::LaunchTemplate
Properties:
LaunchTemplateName: redash-isntance-lt
LaunchTemplateData:
SecurityGroupIds:
- !Ref RedashInstanceSecurityGroup
ImageId: ami-060741a96307668be
InstanceType: t2.small
RedashInstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: This Security Group is used for Re:dash Instance
GroupName: redash-instance-sg
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
#SourceSecurityGroupId: !Ref RedashALBSecurityGroup
VpcId: <VPCID>
I modified the template so that it works. I can only test in us-east-1 in my sandbox account, so I made changes for that region. You need to modify it further as your template is incomplete and I had to fill out a lot of blanks.
The template works and provisions the instance (from curl):
<div class="fixed-width-page">
<div class="bg-white tiled">
<h4 class="m-t-0">Welcome to Redash!</h4>
<div>Before you can use your instance, you need to do a quick setup.</div>
Full working template:
AWSTemplateFormatVersion: '2010-09-09'
Description: This template is used for creating redash analysis foundation
Resources:
  ####################################################################################################
  #### NetWork Setting
  ####################################################################################################
  VpcId:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: 'true'
      EnableDnsHostnames: 'true'
  RedashInstancePrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1a #ap-northeast-1a
      CidrBlock: "10.0.1.0/24"
      VpcId: !Ref VpcId
      Tags:
        - Key: Name
          Value: Private
  PrivateSubnetARoute:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PrivateSubnetRouteTable
      SubnetId: !Ref RedashInstancePrivateSubnetA
  PrivateSubnetRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId
  NATGatewayForPrivateSubnetA:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NATGatewayAEIP.AllocationId
      SubnetId: !Ref RedashALBPublicSubnetA
  NATGatewayAEIP:
    DependsOn: IGWAttachment
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc
  PrivateARoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateSubnetRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NATGatewayForPrivateSubnetA
  RedashALBPublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-1a #ap-northeast-1a
      CidrBlock: 10.0.0.0/24
      VpcId: !Ref VpcId
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: Public
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId
  InternetGatewayId:
    Type: AWS::EC2::InternetGateway
    Properties: {}
  IGWAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref InternetGatewayId
      VpcId: !Ref VpcId
      #VpnGatewayId: String
  PublicRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGatewayId
  PublicSubnetARoute:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref PublicRouteTable
      SubnetId: !Ref RedashALBPublicSubnetA
  ####################################################################################################
  #### Re:dash EC2 Instance
  ####################################################################################################
  RedashInstance:
    Type: AWS::EC2::Instance
    Properties:
      LaunchTemplate:
        LaunchTemplateId: !Ref RedashInstanceLaunchTemplate
        Version: !GetAtt RedashInstanceLaunchTemplate.LatestVersionNumber
      SubnetId: !Ref RedashInstancePrivateSubnetA
  RedashInstanceLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: redash-isntance-lt
      LaunchTemplateData:
        SecurityGroupIds:
          - !Ref RedashInstanceSecurityGroup
        ImageId: ami-0d915a031cabac0e0 #ami-060741a96307668be
        InstanceType: t2.small
  RedashInstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: This Security Group is used for Re:dash Instance
      GroupName: redash-instance-sg
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          #SourceSecurityGroupId: !Ref RedashALBSecurityGroup
      VpcId: !Ref VpcId

Unable to connect EC2 instance using Session Manager

I am using CloudFormation to deploy EC2 instances into different VPCs. Using CloudFormation I created a role and role profile and attached it to the EC2 instance [the role in question is AmazonEC2RoleforSSM]. Yet I am unable to connect to EC2 using the same.
Here is the Cloudformation code:
AWSTemplateFormatVersion: 2010-09-09
Description: Test and Dev Environment
Resources:
VPCdev:
Type: "AWS::EC2::VPC"
Properties:
CidrBlock: 10.0.0.0/16
EnableDnsHostnames: true
EnableDnsSupport: true
InstanceTenancy: default
Tags:
- Key: Name
Value: VPCdev
VPCtest:
Type: "AWS::EC2::VPC"
Properties:
CidrBlock: 192.168.0.0/16
EnableDnsHostnames: true
EnableDnsSupport: true
InstanceTenancy: default
Tags:
- Key: Name
Value: VPCtest
SubnetDev:
Type: "AWS::EC2::Subnet"
Properties:
AvailabilityZone: !Select [0, !GetAZs '']
CidrBlock: 10.0.1.0/24
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: SubnetDev
VpcId: !Ref VPCdev
SubnetTest:
Type: "AWS::EC2::Subnet"
Properties:
AvailabilityZone: !Select [0, !GetAZs '']
CidrBlock: 192.168.1.0/24
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: Subnettest
VpcId: !Ref VPCtest
IGWdev:
Type: "AWS::EC2::InternetGateway"
Properties:
Tags:
- Key: Name
Value: IGWdev
IGWtest:
Type: "AWS::EC2::InternetGateway"
Properties:
Tags:
- Key: Name
Value: IGWtest
IGWdevattachment:
Type: "AWS::EC2::VPCGatewayAttachment"
Properties:
InternetGatewayId: !Ref IGWdev
VpcId: !Ref VPCdev
IGWtestattachment:
Type: "AWS::EC2::VPCGatewayAttachment"
Properties:
InternetGatewayId: !Ref IGWtest
VpcId: !Ref VPCtest
RouteTabledev:
Type: "AWS::EC2::RouteTable"
Properties:
Tags:
- Key: Name
Value: RouteTabledev
VpcId: !Ref VPCdev
RouteTabletest:
Type: "AWS::EC2::RouteTable"
Properties:
Tags:
- Key: Name
Value: RouteTabletest
VpcId: !Ref VPCtest
defaultdev:
Type: "AWS::EC2::Route"
Properties:
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref IGWdev
RouteTableId: !Ref RouteTabledev
defaulttest:
Type: "AWS::EC2::Route"
Properties:
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref IGWtest
RouteTableId: !Ref RouteTabletest
Ec2InstanceProfile:
Type: AWS::IAM::InstanceProfile
Properties:
Path: /
Roles: [ !Ref Ec2InstanceRole ]
Ec2InstanceRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: [ ec2.amazonaws.com ]
Action:
- sts:AssumeRole
Path: /
sgdev:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: sgdev
GroupName: sgdev
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
Tags:
- Key: Name
Value: sgdev
VpcId: !Ref VPCdev
sgtest:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: sgtest
GroupName: sgtest
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
Tags:
- Key: Name
Value: sgtest
VpcId: !Ref VPCtest
instancedev:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-02d55cb47e83a99a0
InstanceType: "t2.micro"
IamInstanceProfile: !Ref Ec2InstanceProfile
NetworkInterfaces:
- AssociatePublicIpAddress: true
DeviceIndex: 0
GroupSet:
- !Ref sgdev
SubnetId: !Ref SubnetDev
Tags:
- Key: Name
Value: dev
instancetest:
Type: AWS::EC2::Instance
Properties:
ImageId: ami-02d55cb47e83a99a0
InstanceType: "t2.micro"
IamInstanceProfile: !Ref Ec2InstanceProfile
NetworkInterfaces:
- AssociatePublicIpAddress: true
DeviceIndex: 0
GroupSet:
- !Ref sgtest
SubnetId: !Ref SubnetTest
Tags:
- Key: Name
Value: test
Also attached is the error screenshot.
P.S: I tried doing it manually and it worked. I don't understand where I went wrong; the stack gets successfully built and all resources get deployed as well.
I am using the Ubuntu 18.04 LTS image; it comes pre-installed with Session Manager.
It does not work because your subnets are private; they don't have any internet connectivity.
Although you've created public route tables, they are not associated with any subnet.
The following should help:
MyRouteTableAssoc1:
  Type: AWS::EC2::SubnetRouteTableAssociation
  Properties:
    RouteTableId: !Ref RouteTabledev
    SubnetId: !Ref SubnetDev
MyRouteTableAssoc2:
  Type: AWS::EC2::SubnetRouteTableAssociation
  Properties:
    RouteTableId: !Ref RouteTabletest
    SubnetId: !Ref SubnetTest
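The mistake the answer describes (a route table with an Internet Gateway route that no subnet is associated with) is easy to miss by eye because every resource is present; only the link is missing. The script below is an added example, not code from the question, the answer or AWS: it takes a template as a Python dict in JSON form (`{"Ref": "X"}` for `!Ref X`), works out for each subnet whether an explicit `SubnetRouteTableAssociation` points it at a table with a `0.0.0.0/0` route via an IGW or NAT gateway, and lists instances whose subnet has neither. A subnet with no association falls back to the VPC's main route table, which a template cannot reference and which only carries the local route, so such subnets are reported as having no path out. The `BROKEN` dict is a constructed excerpt mirroring the question's dev VPC; `FIXED` adds the association from the answer. One caveat the page does not cover: the SSM agent can also reach Systems Manager through interface VPC endpoints (the `ssm`, `ssmmessages` and `ec2messages` services) with no internet route at all, which keeps the instances off the public internet entirely; this checker only looks at routes, not endpoints.

```python
"""Report which subnets in a CloudFormation template have a route out of the VPC.

Added example for this answer; not code from the question, the answer or AWS.
Templates are Python dicts in JSON form, {"Ref": "X"} standing for !Ref X.
"""
import copy


def _ref(value):
    """Unwrap {"Ref": "Logical"} to "Logical"; pass plain strings through."""
    return value["Ref"] if isinstance(value, dict) and "Ref" in value else value


def subnet_egress(template):
    """Map each AWS::EC2::Subnet logical ID to "igw", "nat" or None.

    None means the template gives the subnet no explicit route table (so it
    uses the VPC main table, local route only) or a table with no default route.
    """
    resources = template["Resources"]
    default_route = {}            # route table logical ID -> "igw" | "nat"
    for res in resources.values():
        if res.get("Type") != "AWS::EC2::Route":
            continue
        props = res["Properties"]
        if props.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        table = _ref(props["RouteTableId"])
        if "GatewayId" in props:
            default_route[table] = "igw"
        elif "NatGatewayId" in props:
            default_route[table] = "nat"
    association = {}              # subnet logical ID -> route table logical ID
    for res in resources.values():
        if res.get("Type") == "AWS::EC2::SubnetRouteTableAssociation":
            props = res["Properties"]
            association[_ref(props["SubnetId"])] = _ref(props["RouteTableId"])
    return {
        name: default_route.get(association.get(name))
        for name, res in resources.items()
        if res.get("Type") == "AWS::EC2::Subnet"
    }


def instances_without_egress(template):
    """Logical IDs of instances whose subnet has no default route out of the VPC."""
    egress = subnet_egress(template)
    stranded = []
    for name, res in template["Resources"].items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        props = res.get("Properties", {})
        subnet = props.get("SubnetId")
        if subnet is None:
            # Instances placed via NetworkInterfaces carry the subnet on device 0.
            nics = props.get("NetworkInterfaces", [])
            subnet = nics[0].get("SubnetId") if nics else None
        if egress.get(_ref(subnet)) is None:
            stranded.append(name)
    return stranded


# Constructed excerpt of the question's dev VPC: route table and IGW route exist,
# but nothing associates SubnetDev with RouteTabledev.
BROKEN = {
    "Resources": {
        "VPCdev": {"Type": "AWS::EC2::VPC",
                   "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "SubnetDev": {"Type": "AWS::EC2::Subnet",
                      "Properties": {"VpcId": {"Ref": "VPCdev"},
                                     "CidrBlock": "10.0.1.0/24"}},
        "IGWdev": {"Type": "AWS::EC2::InternetGateway"},
        "RouteTabledev": {"Type": "AWS::EC2::RouteTable",
                          "Properties": {"VpcId": {"Ref": "VPCdev"}}},
        "defaultdev": {"Type": "AWS::EC2::Route",
                       "Properties": {"DestinationCidrBlock": "0.0.0.0/0",
                                      "GatewayId": {"Ref": "IGWdev"},
                                      "RouteTableId": {"Ref": "RouteTabledev"}}},
        "instancedev": {"Type": "AWS::EC2::Instance",
                        "Properties": {"NetworkInterfaces": [
                            {"DeviceIndex": 0, "SubnetId": {"Ref": "SubnetDev"}}]}},
    }
}

# The answer's fix: associate the subnet with the table that has the IGW route.
FIXED = copy.deepcopy(BROKEN)
FIXED["Resources"]["MyRouteTableAssoc1"] = {
    "Type": "AWS::EC2::SubnetRouteTableAssociation",
    "Properties": {"RouteTableId": {"Ref": "RouteTabledev"},
                   "SubnetId": {"Ref": "SubnetDev"}},
}

if __name__ == "__main__":
    print("broken:", subnet_egress(BROKEN), instances_without_egress(BROKEN))
    print("fixed: ", subnet_egress(FIXED), instances_without_egress(FIXED))
```

On the broken excerpt `SubnetDev` maps to `None` and `instancedev` is listed; after the association is added it maps to `"igw"` and the list is empty. The same function distinguishes `"nat"` from `"igw"`, which is what separates a private subnet that can still reach Systems Manager from a public one.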

Referencing the output of Parent stack in nested stack - Cloudformation

I am trying to create a nested stack but am having trouble, as I am new to this and still in the learning process. I have created the VPC with 2 private and 2 public subnets, then attached the internet-facing ELB to the 2 public subnets. I think I am not referencing it right. The VPC is created, but while creating the ELB there is an error: "Output 'VpcID' not found in stack". I think there might be a problem in the syntax, as I am changing my previous file to a nested stack. I might not be referencing it right in the internet-facing ELB stack.
Root stack:
---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  bucketname:
    Type: String
    Description: Path to the bucket
    Default: wahaj-webserver
  bucketpath:
    Type: String
    Description: Path to the bucket
    Default: /nested-stack
Resources:
  Vpcstack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${bucketname}.s3.us-east-2.amazonaws.com${bucketpath}/vpc1.yml"
  elb:
    DependsOn: Vpcstack
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Sub "https://${bucketname}.s3.us-east-2.amazonaws.com${bucketpath}/internetfacing-elb.yml"
      Parameters:
        SubnetA: !GetAtt Vpcstack.Outputs.SubnetA
        SubnetB: !GetAtt Vpcstack.Outputs.SubnetB
        VpcID: !GetAtt Vpcstack.Outputs.VpcID
Vpc stack:
---
AWSTemplateFormatVersion: 2010-09-09
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 11.0.0.0/16
EnableDnsSupport: true
EnableDnsHostnames: true
InstanceTenancy: default
InternetGateway:
Type: AWS::EC2::InternetGateway
VPCGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId: !Ref VPC
InternetGatewayId: !Ref InternetGateway
SubnetA:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: us-east-2a
VpcId: !Ref VPC
CidrBlock: 11.0.0.0/24
MapPublicIpOnLaunch: true
SubnetB:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: us-east-2b
VpcId: !Ref VPC
CidrBlock: 11.0.1.0/24
MapPublicIpOnLaunch: true
SubnetC:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: us-east-2a
VpcId: !Ref VPC
CidrBlock: 11.0.2.0/24
MapPublicIpOnLaunch: false
SubnetD:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: us-east-2b
VpcId: !Ref VPC
CidrBlock: 11.0.3.0/24
MapPublicIpOnLaunch: false
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
RouteTable2:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
InternetRoute:
Type: AWS::EC2::Route
DependsOn: VPCGatewayAttachment
Properties:
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
RouteTableId: !Ref RouteTable
SubnetARouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref SubnetA
SubnetBRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref SubnetB
SubnetCRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable2
SubnetId: !Ref SubnetC
SubnetDRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable2
SubnetId: !Ref SubnetD
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: "Internet Group"
GroupDescription: "SSH traffic in, all traffic out."
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: "22"
ToPort: "22"
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: -1
CidrIp: 0.0.0.0/0
NAT:
Type: AWS::EC2::NatGateway
Properties:
AllocationId:
Fn::GetAtt:
- EIP
- AllocationId
SubnetId:
Ref: SubnetA
Tags:
- Key: Name
Value: wahaj-nat
EIP:
DependsOn: VPCGatewayAttachment
Type: AWS::EC2::EIP
Properties:
Domain: VPC
Route:
Type: AWS::EC2::Route
Properties:
RouteTableId:
Ref: RouteTable2
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId:
Ref: NAT
Outputs:
VpcID:
Description: VPC id
Value: !Ref VPC
Export:
Name: "VpcID"
SubnetA:
Description: public subnet
Value: !Ref SubnetA
Export:
Name: "SubnetA"
SubnetB:
Description: public subnet 2
Value: !Ref SubnetB
Export:
Name: "SubnetB"
SubnetC:
Description: priavte subnet
Value: !Ref SubnetC
Export:
Name: "SubnetC"
SubnetD:
Description: private subnet 2
Value: !Ref SubnetD
Export:
Name: "SubnetD"
Internet facing elb:
---
AWSTemplateFormatVersion: 2010-09-09
Resources:
wahajelb:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: wahaj-elb
VpcId:
Fn::ImportValue: "VpcID"
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
Description: For traffic from Internet
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
Description: For traffic from Internet
GroupDescription: Security Group for demo server
MyLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
Listeners:
- LoadBalancerPort: "80"
InstancePort: "80"
Protocol: HTTP
SecurityGroups:
- !Ref wahajelb
LoadBalancerName: wahajelb
Subnets:
- Fn::ImportValue: "SubnetA"
- Fn::ImportValue: "SubnetB"
HealthCheck:
Target: HTTP:80/SamplePage.php
HealthyThreshold: "3"
UnhealthyThreshold: "5"
Interval: "30"
Timeout: "5"
Outputs:
ec2:
Description: ec2
Value: !Ref MyLoadBalancer
Export:
Name: "MyLoadBalancer"
lgsg:
Description: lg-sg
Value: !GetAtt wahajelb.GroupId
Export:
Name: "lgsg"
Your Vpc stack has an output of vpcID, not VpcID.
This must be an exact string match for it to be successfully referenced in your Root stack.
Update your Vpc stack to the below:
---
AWSTemplateFormatVersion: 2010-09-09
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 11.0.0.0/16
EnableDnsSupport: true
EnableDnsHostnames: true
InstanceTenancy: default
InternetGateway:
Type: AWS::EC2::InternetGateway
VPCGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId: !Ref VPC
InternetGatewayId: !Ref InternetGateway
SubnetA:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: us-east-2a
VpcId: !Ref VPC
CidrBlock: 11.0.0.0/24
MapPublicIpOnLaunch: true
SubnetB:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: us-east-2b
VpcId: !Ref VPC
CidrBlock: 11.0.1.0/24
MapPublicIpOnLaunch: true
SubnetC:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: us-east-2a
VpcId: !Ref VPC
CidrBlock: 11.0.2.0/24
MapPublicIpOnLaunch: false
SubnetD:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: us-east-2b
VpcId: !Ref VPC
CidrBlock: 11.0.3.0/24
MapPublicIpOnLaunch: false
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
RouteTable2:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
InternetRoute:
Type: AWS::EC2::Route
DependsOn: VPCGatewayAttachment
Properties:
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
RouteTableId: !Ref RouteTable
SubnetARouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref SubnetA
SubnetBRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref SubnetB
SubnetCRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable2
SubnetId: !Ref SubnetC
SubnetDRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable2
SubnetId: !Ref SubnetD
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: "Internet Group"
GroupDescription: "SSH traffic in, all traffic out."
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: "22"
ToPort: "22"
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: -1
CidrIp: 0.0.0.0/0
NAT:
Type: AWS::EC2::NatGateway
Properties:
AllocationId:
Fn::GetAtt:
- EIP
- AllocationId
SubnetId:
Ref: SubnetA
Tags:
- Key: Name
Value: wahaj-nat
EIP:
DependsOn: VPCGatewayAttachment
Type: AWS::EC2::EIP
Properties:
Domain: VPC
Route:
Type: AWS::EC2::Route
Properties:
RouteTableId:
Ref: RouteTable2
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId:
Ref: NAT
Outputs:
VpcID:
Description: VPC id
Value: !Ref VPC
Export:
Name:
Fn::Sub: "${AWS::StackName}-VpcID"
SubnetA:
Description: public subnet
Value: !Ref SubnetA
Export:
Name:
Fn::Sub: "${AWS::StackName}-SubnetA"
SubnetB:
Description: public subnet 2
Value: !Ref SubnetB
Export:
Name:
Fn::Sub: "${AWS::StackName}-SubnetB"
SubnetC:
Description: priavte subnet
Value: !Ref SubnetC
Export:
Name:
Fn::Sub: "${AWS::StackName}-SubnetC"
SubnetD:
Description: private subnet 2
Value: !Ref SubnetD
Export:
Name:
Fn::Sub: "${AWS::StackName}-SubnetD"

Passing parameters from parent stack to child stack in nested stack - Cloudformation

I am trying to pass the parameters to the internet-facing ELB using the root. I have created a nested stack with root.yml acting as the root, and vpc and elb are the child stacks. I am trying to pass the parameters from root to elb.yml, but it gives an error, "Parameter values specified for a template which does not require them", while creating the ELB. The nested stack runs fine up to the VPC, but when it gets to the ELB it gives an error.
Root.yml:
AWSTemplateFormatVersion: 2010-09-09
Parameters:
bucketname:
Type: String
Description: Path to the bucket
Default: webserver
bucketpath:
Type: String
Description: Path to the bucket
Default: /nested-stack
Resources:
Vpcstack:
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: !Sub "https://${bucketname}.s3.us-east-2.amazonaws.com${bucketpath}/vpc1.yml"
elb:
DependsOn: Vpcstack
Type: AWS::CloudFormation::Stack
Properties:
TemplateURL: !Sub "https://${bucketname}.s3.us-east-2.amazonaws.com${bucketpath}/internetfacing-elb.yml"
Parameters:
SubnetA: !GetAtt Vpcstack.Outputs.SubnetA
SubnetB: !GetAtt Vpcstack.Outputs.SubnetB
VpcID: !GetAtt Vpcstack.Outputs.VpcID
Vpc stack:
---
AWSTemplateFormatVersion: 2010-09-09
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 11.0.0.0/16
EnableDnsSupport: true
EnableDnsHostnames: true
InstanceTenancy: default
InternetGateway:
Type: AWS::EC2::InternetGateway
VPCGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId: !Ref VPC
InternetGatewayId: !Ref InternetGateway
SubnetA:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: us-east-2a
VpcId: !Ref VPC
CidrBlock: 11.0.0.0/24
MapPublicIpOnLaunch: true
SubnetB:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: us-east-2b
VpcId: !Ref VPC
CidrBlock: 11.0.1.0/24
MapPublicIpOnLaunch: true
SubnetC:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: us-east-2a
VpcId: !Ref VPC
CidrBlock: 11.0.2.0/24
MapPublicIpOnLaunch: false
SubnetD:
Type: AWS::EC2::Subnet
Properties:
AvailabilityZone: us-east-2b
VpcId: !Ref VPC
CidrBlock: 11.0.3.0/24
MapPublicIpOnLaunch: false
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
RouteTable2:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
InternetRoute:
Type: AWS::EC2::Route
DependsOn: VPCGatewayAttachment
Properties:
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
RouteTableId: !Ref RouteTable
SubnetARouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref SubnetA
SubnetBRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable
SubnetId: !Ref SubnetB
SubnetCRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable2
SubnetId: !Ref SubnetC
SubnetDRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId: !Ref RouteTable2
SubnetId: !Ref SubnetD
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: "Internet Group"
GroupDescription: "SSH traffic in, all traffic out."
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: "22"
ToPort: "22"
CidrIp: 0.0.0.0/0
SecurityGroupEgress:
- IpProtocol: -1
CidrIp: 0.0.0.0/0
NAT:
Type: AWS::EC2::NatGateway
Properties:
AllocationId:
Fn::GetAtt:
- EIP
- AllocationId
SubnetId:
Ref: SubnetA
Tags:
- Key: Name
Value: ng-nat
EIP:
DependsOn: VPCGatewayAttachment
Type: AWS::EC2::EIP
Properties:
Domain: VPC
Route:
Type: AWS::EC2::Route
Properties:
RouteTableId:
Ref: RouteTable2
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId:
Ref: NAT
Outputs:
VpcID:
Description: VPC id
Value: !Ref VPC
Export:
Name: "VpcID"
SubnetA:
Description: public subnet
Value: !Ref SubnetA
Export:
Name: "SubnetA"
SubnetB:
Description: public subnet 2
Value: !Ref SubnetB
Export:
Name: "SubnetB"
SubnetC:
Description: priavte subnet
Value: !Ref SubnetC
Export:
Name: "SubnetC"
SubnetD:
Description: private subnet 2
Value: !Ref SubnetD
Export:
Name: "SubnetD"
internet facing elb:
---
AWSTemplateFormatVersion: 2010-09-09
Resources:
elb:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: sg-elb
VpcId:
Fn::ImportValue: "VpcID"
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
Description: For traffic from Internet
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
Description: For traffic from Internet
GroupDescription: Security Group for demo server
MyLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
Listeners:
- LoadBalancerPort: "80"
InstancePort: "80"
Protocol: HTTP
SecurityGroups:
- !Ref elb
LoadBalancerName: elb
Subnets:
- Fn::ImportValue: "SubnetA"
- Fn::ImportValue: "SubnetB"
HealthCheck:
Target: HTTP:80/SamplePage.php
HealthyThreshold: "3"
UnhealthyThreshold: "5"
Interval: "30"
Timeout: "5"
Outputs:
ec2:
Description: ec2
Value: !Ref MyLoadBalancer
Export:
Name: "MyLoadBalancer"
lgsg:
Description: lg-sg
Value: !GetAtt elb.GroupId
Export:
Name: "lgsg"
The issue comes from the fact that you are passing 3 parameters to the elb stack:
  SubnetA: !GetAtt Vpcstack.Outputs.SubnetA
  SubnetB: !GetAtt Vpcstack.Outputs.SubnetB
  VpcID: !GetAtt Vpcstack.Outputs.VpcID
However, the elb template does not accept any parameters.
To rectify the issue, you should add a Parameters section to the elb template. For example:
Parameters:
  SubnetA:
    Type: String
  SubnetB:
    Type: String
  VpcID:
    Type: String
Also, in the elb template you should be using !Ref instead of !ImportValue to reference the new parameters.
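The two nested-stack failures on this page, the previous question's "Output 'VpcID' not found in stack" and this one's "Parameter values specified for a template which does not require them", are both contract mismatches between the root template and a child that CloudFormation only reports at deploy time, after the earlier child stacks have already been created. The script below is an added example, not code from either question, the answers or AWS: given the root template and the child templates as Python dicts in JSON form, it compares the parameters the root passes to each `AWS::CloudFormation::Stack` against the child's `Parameters` section, and every `Fn::GetAtt <Stack>.Outputs.<Name>` in the root against the child's `Outputs` (case-sensitively, so `vpcID` does not satisfy `VpcID`). Resolving each `TemplateURL` to its template is assumed to be done by the caller; `ROOT`, `VPC_CHILD` and `ELB_CHILD` are constructed excerpts of the templates on this page, with an example bucket name.

```python
"""Check the parameter/output contract between a root stack and its nested stacks.

Added example for this answer and the previous one; not code from the
questions, the answers or AWS. Templates are Python dicts in JSON form; the
caller is assumed to have fetched each child template from its TemplateURL.
"""


def _walk(node):
    """Yield every mapping nested anywhere inside a template."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def _output_refs(parent):
    """Yield (stack_logical_id, output_name) for each Fn::GetAtt <Stack>.Outputs.<Name>."""
    for node in _walk(parent):
        if "Fn::GetAtt" not in node:
            continue
        target = node["Fn::GetAtt"]
        if isinstance(target, str):          # short form "Stack.Outputs.Name"
            parts = target.split(".", 2)
        else:                                # long form ["Stack", "Outputs.Name"]
            parts = [target[0]] + target[1].split(".", 1)
        if len(parts) == 3 and parts[1] == "Outputs":
            yield parts[0], parts[2]


def check_nested_contract(parent, children):
    """Return (stack, problem, name) tuples.

    `children` maps the parent's AWS::CloudFormation::Stack logical IDs to the
    resolved child templates.
    """
    findings = []
    for stack_id, res in parent.get("Resources", {}).items():
        if res.get("Type") != "AWS::CloudFormation::Stack":
            continue
        child = children.get(stack_id, {})
        passed = set(res.get("Properties", {}).get("Parameters", {}))
        declared = child.get("Parameters", {})
        # Passing a parameter the child does not declare is the error in this question.
        for name in sorted(passed - set(declared)):
            findings.append((stack_id, "unexpected-parameter", name))
        # A declared parameter with no Default must be supplied by the parent.
        for name, spec in declared.items():
            if name not in passed and "Default" not in spec:
                findings.append((stack_id, "missing-parameter", name))
    for stack_id, output in _output_refs(parent):
        # Output names are matched exactly; vpcID does not satisfy VpcID.
        if output not in children.get(stack_id, {}).get("Outputs", {}):
            findings.append((stack_id, "missing-output", output))
    return findings


# Constructed excerpts of the root, VPC and ELB templates from this page
# (example bucket name; only the parts that matter for the contract).
ROOT = {"Resources": {
    "Vpcstack": {"Type": "AWS::CloudFormation::Stack", "Properties": {
        "TemplateURL": "https://example-bucket.s3.us-east-2.amazonaws.com/nested-stack/vpc1.yml"}},
    "elb": {"Type": "AWS::CloudFormation::Stack", "DependsOn": "Vpcstack", "Properties": {
        "TemplateURL": "https://example-bucket.s3.us-east-2.amazonaws.com/nested-stack/internetfacing-elb.yml",
        "Parameters": {
            "SubnetA": {"Fn::GetAtt": ["Vpcstack", "Outputs.SubnetA"]},
            "SubnetB": {"Fn::GetAtt": ["Vpcstack", "Outputs.SubnetB"]},
            "VpcID": {"Fn::GetAtt": ["Vpcstack", "Outputs.VpcID"]}}}},
}}
VPC_CHILD = {
    "Resources": {"VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "11.0.0.0/16"}}},
    "Outputs": {"vpcID": {"Value": {"Ref": "VPC"}},      # lower-case, as in the last template
                "SubnetA": {"Value": {"Ref": "SubnetA"}},
                "SubnetB": {"Value": {"Ref": "SubnetB"}}},
}
ELB_CHILD = {"Resources": {}}                           # no Parameters section at all

# The fixes from the two answers: rename the output, declare the parameters.
FIXED_VPC_CHILD = {"Resources": VPC_CHILD["Resources"],
                   "Outputs": {"VpcID": VPC_CHILD["Outputs"]["vpcID"],
                               "SubnetA": VPC_CHILD["Outputs"]["SubnetA"],
                               "SubnetB": VPC_CHILD["Outputs"]["SubnetB"]}}
FIXED_ELB_CHILD = {"Parameters": {"SubnetA": {"Type": "String"},
                                  "SubnetB": {"Type": "String"},
                                  "VpcID": {"Type": "String"}},
                   "Resources": {}}

if __name__ == "__main__":
    for finding in check_nested_contract(ROOT, {"Vpcstack": VPC_CHILD, "elb": ELB_CHILD}):
        print(*finding)
```

Against the excerpts the checker reports three `unexpected-parameter` findings for `elb` and one `missing-output` for `Vpcstack`; with the corrected children it reports nothing. Once the child declares the parameters and reads them with `!Ref`, the `Fn::ImportValue` lookups can go: an export is a single account-and-region-wide name, so a child importing a bare `"VpcID"` both collides with any other stack exporting that name and locks the exporting stack against deletion while the import exists, whereas a parameter passed from the root carries neither dependency.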

Security group does not belong to VPC

I am trying to create an internet-facing ELB. I have created a VPC in the Ohio region (us-east-2). I have created 4 subnets: 2 public subnets and 2 private subnets.
Public subnets: SubnetA (us-east-2a), SubnetB (us-east-2b)
Private subnets: SubnetC (us-east-2a), SubnetD (us-east-2b)
When I give the availability zone to the load balancer it shows the following error: "Security group does not belong to VPC".
---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
SourceStackName:
Description: "Source stack name"
Type: String
AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
Default: "wahaj-vpc"
Resources:
wahajelb:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: wahaj-elb
VpcId:
Fn::ImportValue:
Fn::Sub: "${SourceStackName}-VpcID"
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
Description: For traffic from Internet
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
Description: For traffic from Internet
GroupDescription: Security Group for demo server
MyLoadBalancer:
Type: AWS::ElasticLoadBalancing::LoadBalancer
Properties:
Listeners:
- LoadBalancerPort: "80"
InstancePort: "80"
Protocol: HTTP
SecurityGroups:
- !Ref wahajelb
LoadBalancerName: wahajelb
Subnets:
- Fn::ImportValue: !Sub "${SourceStackName}-SubnetC"
- Fn::ImportValue: !Sub "${SourceStackName}-SubnetD"
HealthCheck:
Target: HTTP:80/SamplePage.php
HealthyThreshold: "3"
UnhealthyThreshold: "5"
Interval: "30"
Timeout: "5"
I am new to this, so if any changes are required to the template please do tell me; I might have made some mistakes.
VPC template
---
AWSTemplateFormatVersion: 2010-09-09
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 11.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      InstanceTenancy: default
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
  SubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2a
      VpcId: !Ref VPC
      CidrBlock: 11.0.0.0/24
      MapPublicIpOnLaunch: true
  SubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2b
      VpcId: !Ref VPC
      CidrBlock: 11.0.1.0/24
      MapPublicIpOnLaunch: true
  SubnetC:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2a
      VpcId: !Ref VPC
      CidrBlock: 11.0.2.0/24
      MapPublicIpOnLaunch: false
  SubnetD:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-east-2b
      VpcId: !Ref VPC
      CidrBlock: 11.0.3.0/24
      MapPublicIpOnLaunch: false
  RouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  RouteTable2:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
  InternetRoute:
    Type: AWS::EC2::Route
    DependsOn: VPCGatewayAttachment
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway
      RouteTableId: !Ref RouteTable
  SubnetARouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetA
  SubnetBRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable
      SubnetId: !Ref SubnetB
  SubnetCRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable2
      SubnetId: !Ref SubnetC
  SubnetDRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref RouteTable2
      SubnetId: !Ref SubnetD
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: "Internet Group"
      GroupDescription: "SSH traffic in, all traffic out."
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: "22"
          ToPort: "22"
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
  NAT:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId:
        Fn::GetAtt:
          - EIP
          - AllocationId
      SubnetId:
        Ref: SubnetA
      Tags:
        - Key: Name
          Value: wahaj-nat
  EIP:
    DependsOn: VPCGatewayAttachment
    Type: AWS::EC2::EIP
    Properties:
      Domain: VPC
  Route:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId:
        Ref: RouteTable2
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId:
        Ref: NAT
Outputs:
  vpcID:
    Description: VPC id
    Value: !Ref VPC
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-VpcID"
  SubnetA:
    Description: public subnet
    Value: !Ref SubnetA
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-SubnetA"
  SubnetB:
    Description: public subnet 2
    Value: !Ref SubnetB
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-SubnetB"
  SubnetC:
    Description: private subnet
    Value: !Ref SubnetC
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-SubnetC"
  SubnetD:
    Description: private subnet 2
    Value: !Ref SubnetD
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-SubnetD"
Autoscaling template
---
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  SourceStackName:
    Description: "Source stack name"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "wahaj-vpc"
  elb:
    Description: "elb"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "wahaj-elb"
  bastion:
    Description: "bastion host"
    Type: String
    AllowedPattern: "^[a-zA-Z][-a-zA-Z0-9]*$"
    Default: "wahaj-bastion"
Resources:
  wahajwebserver:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: wahaj-webserver
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId:
            Fn::ImportValue: !Sub "${bastion}-bsgId"
          Description: For traffic from Internet
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId:
            Fn::ImportValue: !Sub "${elb}-lgsg"
          Description: For traffic from Internet
      GroupDescription: Security Group for demo server
      VpcId:
        Fn::ImportValue:
          Fn::Sub: "${SourceStackName}-VpcID"
  ec2instance:
    Type: AWS::AutoScaling::LaunchConfiguration
    Properties:
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            DeleteOnTermination: "true"
            VolumeSize: "8"
            VolumeType: gp2
      ImageId: ami-0bdcc6c05dec346bf
      InstanceType: t2.micro
      IamInstanceProfile: !Ref ListS3BucketsInstanceProfile
      KeyName: wahaj(webserver)
      SecurityGroups:
        - Ref: wahajwebserver
  ListS3BucketsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - Ref: S3FullAccess
  ListS3BucketsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ListS3BucketsPolicy
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - s3:List*
            Resource: "*"
      Roles:
        - Ref: S3FullAccess
  S3FullAccess:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
  myASG:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      AvailabilityZones:
        - "us-east-2a"
        - "us-east-2b"
      AutoScalingGroupName: myASG
      LoadBalancerNames:
        - Fn::ImportValue: !Sub "${elb}-MyLoadBalancer"
      MinSize: "2"
      MaxSize: "2"
      DesiredCapacity: "2"
      HealthCheckGracePeriod: 300
      LaunchConfigurationName:
        Ref: ec2instance
      VPCZoneIdentifier:
        - Fn::ImportValue: !Sub "${SourceStackName}-SubnetC"
        - Fn::ImportValue: !Sub "${SourceStackName}-SubnetD"
Outputs:
  Autoscaling:
    Description: autoscaling
    Value: !Ref myASG
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-myASG"
  ec2instance:
    Description: ec2instances
    Value: !Ref ec2instance
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-ec2instance"
  sg:
    Description: ec2instances securitygroup
    Value: !GetAtt wahajwebserver.GroupId
    Export:
      Name:
        Fn::Sub: "${AWS::StackName}-sg"
This is because the ELB and the security group reside within separate VPCs.
Your template has commented out the subnets, which results in the load balancer being created in the default VPC of that region; however, your security group explicitly sets a VPC ID. Therefore they are in separate VPCs.
It is always good practice to ensure that you define the VPC ID/subnet ID of resources that support it; for some resources, such as EC2, without this property they will always be replaced when you make a change (such as changing a tag) via CloudFormation.
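A static pre-deployment check for the mismatch the answer describes, as an added example that is not part of the question or answer: it walks a template in CloudFormation's long-form dict shape (Ref, Fn::ImportValue, Fn::Sub), flags a Classic ELB with no Subnets (it would land in the default VPC) or a security group with no VpcId, and reports when the ELB's subnets and security groups resolve to different VPC sources. The sample template is constructed to mirror the question's ELB stack, and the rule that a cross-stack export named "<stack>-<Name>" identifies its source stack is an assumption.

```python
ELB_TYPE = "AWS::ElasticLoadBalancing::LoadBalancer"

def _vpc_origin(value, resources):
    """Token naming the VPC a Ref/ImportValue ultimately points at."""
    if isinstance(value, dict) and "Ref" in value:
        res = resources.get(value["Ref"], {})
        if res.get("Type") == "AWS::EC2::VPC":
            return ("vpc", value["Ref"])
        if res.get("Type") == "AWS::EC2::Subnet":  # follow the subnet to its VpcId
            return _vpc_origin(res.get("Properties", {}).get("VpcId"), resources)
    if isinstance(value, dict) and "Fn::ImportValue" in value:
        name = value["Fn::ImportValue"]  # either a string or {"Fn::Sub": "${Stack}-SubnetC"}
        name = name.get("Fn::Sub", "") if isinstance(name, dict) else name
        return ("import", name.rsplit("-", 1)[0])  # assumption: "<stack>-<Name>" export naming
    return ("unknown", str(value))

def check_elb_vpc(template):
    """Return finding strings; an empty list means the ELB and its SGs agree on one VPC."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != ELB_TYPE:
            continue
        props = res.get("Properties", {})
        subnets = props.get("Subnets") or []
        if not subnets:  # the answer's case: without Subnets the ELB lands in the default VPC
            findings.append(f"{name}: no Subnets, ELB is placed in the region's default VPC")
        origins = {_vpc_origin(s, resources) for s in subnets}
        for sg in props.get("SecurityGroups", []):
            if not isinstance(sg, dict) or "Ref" not in sg:
                continue  # a literal sg-xxxx id cannot be resolved statically
            sg_props = resources.get(sg["Ref"], {}).get("Properties", {})
            if "VpcId" not in sg_props:
                findings.append(f"{name}: security group {sg['Ref']} sets no VpcId")
                continue
            origins.add(_vpc_origin(sg_props["VpcId"], resources))
        if len(origins) > 1:
            findings.append(f"{name}: Subnets and SecurityGroups resolve to different VPCs: {sorted(origins)}")
    return findings

def elb_template(with_subnets=True):
    """Constructed sample mirroring the question's ELB stack (SG wahajelb + MyLoadBalancer)."""
    imp = lambda suffix: {"Fn::ImportValue": {"Fn::Sub": "${SourceStackName}-" + suffix}}
    lb = {"SecurityGroups": [{"Ref": "wahajelb"}]}
    if with_subnets:
        lb["Subnets"] = [imp("SubnetC"), imp("SubnetD")]
    return {"Resources": {"wahajelb": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"VpcId": imp("VpcID")}},
                          "MyLoadBalancer": {"Type": ELB_TYPE, "Properties": lb}}}
```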